author | startx2017 <vradu.startx@yandex.com> | 2017-09-05 08:13:25 -0400 |
---|---|---|
committer | GitHub <noreply@github.com> | 2017-09-05 08:13:25 -0400 |
commit | 16497087c03e68c46b54247fda6e4e03f8e52d34 (patch) | |
tree | 7269e726126d1614cc60cc103cfc33466f596496 | |
parent | Merge pull request #1530 from smitsohu/snap (diff) | |
parent | wireshark needs cap_dac_override (diff) | |
Merge pull request #1526 from smitsohu/caps
tighten some capability sets further
-rw-r--r-- | etc/dnscrypt-proxy.profile | 2 | ||||
-rw-r--r-- | etc/dnsmasq.profile | 1 | ||||
-rw-r--r-- | etc/unbound.profile | 2 | ||||
-rw-r--r-- | etc/wireshark.profile | 3 |
4 files changed, 5 insertions, 3 deletions
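--- a/etc/dnscrypt-proxy.profile
+++ b/etc/dnscrypt-proxy.profile
@@ -17,7 +17,7 @@ include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
 caps
-# caps.keep ipc_lock,net_bind_service,setgid,setuid,sys_chroot,sys_resource
+# caps.keep ipc_lock,net_bind_service,setgid,setuid,sys_chroot
 no3d
 nodvd
 nonewprivs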
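Review bot: The tightened `caps.keep` on new line 20 is still commented out, so this hunk changes no enforced capability set; the sandbox keeps whatever the bare `caps` line on line 19 applies, exactly as before. The same holds for the `# caps.keep` line added in etc/dnsmasq.profile and the edited one in etc/unbound.profile in this merge. If the reduced set has been verified against the daemon, the line should be enabled by dropping the leading `# `; if it is intentionally left as a reference only, a short note such as `# caps.keep ... - reference set, not enforced (TODO: test and enable)` would stop the next maintainer from assuming it is in effect.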
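--- a/etc/dnsmasq.profile
+++ b/etc/dnsmasq.profile
@@ -17,6 +17,7 @@ include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
 caps
+# caps.keep net_admin,net_bind_service,net_raw,setgid,setuid
 no3d
 nodvd
 nonewprivs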
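--- a/etc/unbound.profile
+++ b/etc/unbound.profile
@@ -17,7 +17,7 @@ include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
 caps
-# caps.keep ipc_lock,net_bind_service,setgid,setuid,sys_chroot,sys_resource
+# caps.keep net_bind_service,setgid,setuid,sys_chroot,sys_resource
 no3d
 nodvd
 nonewprivs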
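--- a/etc/wireshark.profile
+++ b/etc/wireshark.profile
@@ -12,7 +12,7 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
-# caps.drop all
+caps.keep dac_override,net_admin,net_raw
 netfilter
 no3d
 # nogroups - breaks unprivileged wireshark usage
@@ -21,6 +21,7 @@ no3d
 nodvd
 nosound
 notv
+novideo
 # protocol unix,inet,inet6,netlink
 # seccomp - breaks unprivileged wireshark usage
 shell none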
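Review bot: `caps.keep dac_override,net_admin,net_raw` on new line 15 of the first hunk carries no comment explaining why `dac_override` is needed, and it is the broadest of the three (it bypasses file permission checks), so a later tightening pass is likely to drop it and reintroduce the breakage the parent merge "wireshark needs cap_dac_override" fixed. The surrounding lines already document exceptions this way (`# nogroups - breaks unprivileged wireshark usage`), so a matching one-liner above it would fit, e.g. `# dac_override - required for unprivileged wireshark usage (see 'wireshark needs cap_dac_override')`; the exact file access that needs it is not visible here and should be filled in by whoever verified it. The `novideo` addition in the second hunk needs no note.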